
Chinese Hackers Group “RedFoxtrot” Attacking Asian Countries Aerospace and Defense Networks


Researchers at Insikt Group, the threat research team of the security company Recorded Future, have linked the hacker group RedFoxtrot to the People's Liberation Army (PLA) of China, and specifically to PLA Unit 69010, which operates from Urumqi, the administrative center of the Xinjiang Uygur Autonomous Region.

Unit 69010 is the Military Unit Cover Designator (MUCD) of the Second Technical Reconnaissance Bureau, a unit within the Network Systems Department of the PLA Strategic Support Force (SSF).


The Recorded Future report states that, over the past six months, RedFoxtrot has targeted Indian defense agencies and aerospace contractors, other Indian companies, and organizations in several other Asian countries.

Recorded Future had issued a similar report in March this year on another China-linked group it tracks as RedEcho.

That report found that RedEcho targeted India's power sector, including NTPC, the country's largest power company.

Affected countries and sectors

RedFoxtrot attacks are focused on the government, telecommunications, and defense sectors in Central Asia, India, and Pakistan.

In the past six months, the group has attacked three Indian aerospace and defense contractors, as well as telecommunications companies and government agencies in Afghanistan, India, Kazakhstan, and Pakistan.

Malware used

The malware used by this group in its campaigns is shared with other Chinese state-sponsored hacking groups; the families observed are listed below:-

  • IceFog
  • PlugX
  • RoyalRoad (RTF weaponizer)
  • Poison Ivy (RAT)
  • ShadowPad
  • QUICKHEAL
  • PCShare

RedFoxtrot’s Connection to PLA Unit 69010

The RedFoxtrot Group has been active since at least 2014, targeting government, security, and telecommunications sectors across Central Asia, India, and Pakistan in a manner consistent with the possible operational scope of Unit 69010.

Insikt Group identified the links between RedFoxtrot's operational infrastructure and PLA Unit 69010 through the online activities of a suspected RedFoxtrot operator.

The analysts were also able to identify the physical address of the PLA Unit 69010 headquarters (No. 553, Wenquan East Road, Shuimogou District, Urumqi, Xinjiang).

This was possible because of lax operational security (OpSec) on the part of members of the unit.

Mapping RedFoxtrot’s Sprawling Infrastructure

Recorded Future's Network Traffic Analysis (NTA) allowed Insikt Group to detect a large batch of RedFoxtrot infrastructure, together with the malware samples associated with the group's intrusions over the past six months.

Researchers also reported the following high-level trends in the group's TTPs:-

  • Extensive use of dynamic DNS (DDNS) domains.
  • DDNS domain names often contain hints about the geographic target.
  • DigitalOcean and Choopa have recently been the group's primary hosting providers.
  • Use of AXIOMATICASYMPTOTE infrastructure (Recorded Future's name for server infrastructure associated with ShadowPad command and control).

Mitigations

  • Properly configure IDS, IPS, and other network defense mechanisms.
  • Block and log all TCP/UDP network traffic that involves DDNS subdomains.
  • Implement robust security mechanisms and tools to monitor real-time output from NTA and detect any suspected intrusion activity.
  • Keep Microsoft Office and Windows updated with the latest patches; RoyalRoad RTF lures rely on long-patched Microsoft Office Equation Editor vulnerabilities.
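The two DDNS points above (heavy use of DDNS domains whose names hint at the target, and the recommendation to log and block traffic to DDNS subdomains) can be turned into a small detection. The following is an added example, not code from the Insikt Group report: it scans constructed DNS log lines for subdomains of well-known public DDNS providers, looks for region tokens in the hostname, and emits BIND response-policy-zone (RPZ) records that would block those providers. The log format, the sample lines, and the geo-hint keyword list are assumptions made for this illustration; the provider list is a real but non-exhaustive set of public DDNS services.

```python
"""Flag DNS queries to dynamic-DNS (DDNS) subdomains and generate RPZ block rules.

Added example, not from the Insikt Group report. The provider apexes are real
public DDNS services (illustrative, not exhaustive). The GEO_HINTS keywords,
the log format and the sample log lines are assumptions for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Public dynamic-DNS apex domains frequently abused for C2 hosting.
DDNS_APEX = {
    "no-ip.com", "no-ip.org", "no-ip.biz", "no-ip.info",
    "ddns.net", "hopto.org", "zapto.org", "sytes.net", "myftp.biz",
    "myftp.org", "serveftp.com", "servehttp.com", "redirectme.net",
    "dyndns.org", "dyndns.biz", "dyndns.info", "dyndns-ip.com",
    "duckdns.org", "freedns.afraid.org", "dynu.com", "dynu.net",
    "mooo.com", "chickenkiller.com",
}

# Assumed hostname tokens hinting at the regions named in the article.
GEO_HINTS = {
    "ind": "India", "india": "India", "delhi": "India",
    "pak": "Pakistan", "isb": "Pakistan", "khi": "Pakistan",
    "kz": "Kazakhstan", "kaz": "Kazakhstan", "astana": "Kazakhstan",
    "afg": "Afghanistan", "kabul": "Afghanistan",
    "uz": "Uzbekistan", "kg": "Kyrgyzstan", "tj": "Tajikistan",
}

# Assumed log format: "<timestamp> <client_ip> <qname> <qtype> <answer>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

# Constructed sample log; 192.0.2.x / 198.51.100.x are RFC 5737 documentation ranges.
SAMPLE_DNS_LOG = """\
2021-06-01T09:58:12Z 10.20.1.17 www.example.com A 198.51.100.1
2021-06-01T10:00:03Z 10.20.1.17 pak-gov-mail.ddns.net A 192.0.2.10
2021-06-01T10:00:41Z 10.20.3.8 no-ip.com A 192.0.2.20
2021-06-01T10:02:55Z 10.20.3.8 ind-def-update.hopto.org A 192.0.2.30
2021-06-01T10:05:07Z 10.20.7.2 srv.freedns.afraid.org A 192.0.2.40
2021-06-01T10:06:19Z 10.20.7.2 cdn.kz-news.duckdns.org A 192.0.2.50
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    client: str
    qname: str
    provider: str
    geo_hint: str | None


def ddns_apex(qname: str) -> str | None:
    """Return the DDNS provider apex if qname is a *subdomain* of one, else None.

    A query for the provider apex itself (e.g. a user browsing no-ip.com) is
    not flagged; only customer-registered subdomains are.
    """
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):          # never test the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in DDNS_APEX:
            return candidate if i > 0 else None
    return None


def geo_hint(qname: str, provider: str) -> str | None:
    """Look for an assumed region token in the customer-controlled hostname part."""
    host_part = qname.lower().rstrip(".")[: -len(provider) - 1]   # strip ".provider"
    for token in re.split(r"[^a-z0-9]+", host_part):
        if token in GEO_HINTS:
            return GEO_HINTS[token]
    return None


def scan(lines) -> list[Finding]:
    """Parse log lines and return one Finding per query to a DDNS subdomain."""
    findings: list[Finding] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                           # skip headers / malformed lines
        ts, client, qname, _qtype, _answer = m.groups()
        provider = ddns_apex(qname)
        if provider is None:
            continue
        findings.append(Finding(ts, client, qname.lower().rstrip("."),
                                provider, geo_hint(qname, provider)))
    return findings


def rpz_records(providers=DDNS_APEX) -> list[str]:
    """BIND RPZ records returning NXDOMAIN for every subdomain of each provider."""
    return sorted(f"*.{p} CNAME ." for p in providers)


if __name__ == "__main__":
    for f in scan(SAMPLE_DNS_LOG.splitlines()):
        region = f.geo_hint or "no geo hint"
        print(f"{f.ts} {f.client} -> {f.qname} [{f.provider}] ({region})")
    print("\n".join(rpz_records({"ddns.net", "hopto.org"})))
```

Feed the output of `scan()` to your SIEM and use the geo hint only as an analyst pivot, not as a verdict: DDNS has legitimate users, so confirm with NTA or endpoint telemetry before a wholesale block, and maintain an allowlist of known-good DDNS hostnames if you deploy the RPZ records.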

Christopher Ahlberg, CEO and Co-Founder of Recorded Future, said:-

“The recent activity of the People’s Liberation Army has largely been a black box for the intelligence community. Being able to provide this rare end-to-end glimpse into PLA activity and Chinese military tactics and motivations provides invaluable insight into the global threat landscape.” 

“The persistent and pervasive monitoring and collection of intelligence is crucial in order to disrupt adversaries and inform an organization or government’s security posture.”

Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
